Show a macOS notification when GPG is waiting for you to tap/touch a security device (e.g. YubiKey).

Overview

GPG Tap Notifier (for macOS)

GPG Tap Notifier is a Swift rewrite of klali/scdaemon-proxy for macOS.

What does it do?

This app provides reminders to touch your security devices (e.g. YubiKeys) on macOS through a native notification.

macOS Notification Screenshot

How does it work?

The gpg-agent and scdaemon tools currently lack a built-in mechanism to alert external processes when they are waiting for human input to a smartcard.

Using a YubiKey as an example of a smartcard, a git commit triggers the following sequence of communication.

Flowchart of git commit and YubiKey communication

This tool takes the scdaemon portion and wraps its communication with gpg-agent. Specifically, gpg-agent is configured to execute the GpgTapNotifierAgent binary, which in turn executes scdaemon. Messages from gpg-agent are forwarded to scdaemon, and any delay of 1 second in scdaemon's response is assumed to mean that user input is required.

Flowchart of git commit and YubiKey with scdaemon proxy installed

Communication between scdaemon and the smartcard (YubiKey) happens as normal.

This technique was demonstrated to work reliably at klali/scdaemon-proxy. The tool here simply re-implements the logic in Swift and adds a configuration user interface to make setup easier. This version of the tool would not exist without the original. As such, we've retained licence copyrights to credit it where appropriate.
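The delay heuristic described above, sketched in Python as an added example (it is not the project's Swift code or klali/scdaemon-proxy). It assumes a line-based exchange in which each command's response ends with an OK or ERR line; `run_proxy`, `FAKE_SCDAEMON` and the sample commands are constructed for illustration, and a stand-in child process plays the part of scdaemon.

```python
import subprocess
import sys
import threading

# Constructed stand-in for scdaemon. It greets like an Assuan server, answers
# at once, and blocks on PKSIGN the way a card does while it waits for a touch.
FAKE_SCDAEMON = r'''
import sys, time
print("OK fake scdaemon ready", flush=True)
for line in sys.stdin:
    if line.startswith("PKSIGN"):
        sys.stderr.write("fake scdaemon: waiting for card\n")  # log, not protocol
        time.sleep(1.5)
        print("D <signature>")
    print("OK", flush=True)
'''


def run_proxy(requests, delay=1.0, child_argv=None):
    """Forward request lines to the child and time how long it stays silent.

    Returns (responses, events). events lists ("show", cmd) when the child was
    silent for `delay` seconds and ("dismiss", cmd) once it finally answered.
    """
    child = subprocess.Popen(
        child_argv or [sys.executable, "-u", "-c", FAKE_SCDAEMON],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=None,  # inherited: child logs stay on stderr, out of the protocol stream
        text=True,
    )
    events = []
    responses = [child.stdout.readline().rstrip("\n")]  # greeting, not timed
    try:
        for request in requests:
            shown = threading.Event()

            def remind(cmd=request, flag=shown):
                flag.set()
                events.append(("show", cmd))  # a real agent would present its alert here

            timer = threading.Timer(delay, remind)
            child.stdin.write(request + "\n")
            child.stdin.flush()
            timer.start()
            try:
                while True:  # relay until the OK/ERR line that ends this command
                    line = child.stdout.readline()
                    if not line:
                        raise RuntimeError("child exited mid-response")
                    responses.append(line.rstrip("\n"))
                    if line.startswith(("OK", "ERR")):
                        break
            finally:
                timer.cancel()
                timer.join()  # make sure remind() is not still running
            if shown.is_set():
                events.append(("dismiss", request))
    finally:
        child.stdin.close()
        child.wait()
    return responses, events


if __name__ == "__main__":
    print(run_proxy(["GETINFO version", "PKSIGN", "GETINFO version"]))
```

Only the slow command produces a show/dismiss pair. The child's stderr is left on stderr rather than merged into the relayed stdout stream.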

FAQ

I'm seeing "signing failed: No SmartCard daemon" errors

If you see the following error:

gpg: signing failed: No SmartCard daemon
gpg: [stdin]: clear-sign failed: No SmartCard daemon

It's likely the GPG Tap Notifier.app was moved after it was configured. This causes ~/.gnupg/gpg-agent.conf to refer to a value of scdaemon-program that no longer exists on the file system. Opening GPG Tap Notifier.app and setting it back to Enabled should fix this problem.
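A check for the stale-path failure described above, as an added example that is not part of the project's code: it extracts scdaemon-program from gpg-agent.conf text and confirms that the file still exists and carries an execute bit. The group/other-writable test is an extra hardening check added here, on the grounds that gpg-agent executes this binary for smartcard operations; the function names and `SAMPLE_CONF` are constructed for illustration.

```python
import os
import stat

# Constructed sample shaped like the gpg-agent.conf shown on this page;
# {agent} is a placeholder for the wrapper binary's path.
SAMPLE_CONF = """\
default-cache-ttl 600
max-cache-ttl 7200
# --- Start of GPG Tap Notifier Modifications ---
scdaemon-program {agent}
# --- End of GPG Tap Notifier Modifications ---
"""

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def scdaemon_programs(conf_text):
    """Return every scdaemon-program value. The value is the rest of the
    line, so unquoted paths that contain spaces are kept whole."""
    values = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "scdaemon-program":
            values.append(parts[1].strip())
    return values


def check_conf(conf_text):
    """Return a list of problems with the scdaemon-program setting."""
    paths = scdaemon_programs(conf_text)
    if not paths:
        return ["no scdaemon-program line, so the notifier agent is not in use"]
    problems = []
    if len(paths) > 1:
        problems.append("scdaemon-program is set more than once")
    for path in paths:
        if not os.path.isfile(path):
            problems.append(f"{path}: no such file")
            continue
        mode = os.stat(path).st_mode
        if not mode & EXEC_BITS:
            problems.append(f"{path}: no execute bit set")
        # Added hardening check (not from the page): anyone who can rewrite
        # this file controls what gpg-agent runs in place of scdaemon.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others")
    return problems


if __name__ == "__main__":
    conf_path = os.path.expanduser("~/.gnupg/gpg-agent.conf")
    if os.path.isfile(conf_path):
        with open(conf_path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF.format(agent="/nonexistent/placeholder agent")
    print(check_conf(text) or "scdaemon-program looks fine")
```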

Does this work for Web Browsers?

It does not. YubiKeys support different interfaces and WebAuthn is a different interface than the OpenPGP interface. Fortunately this tool isn't necessary for WebAuthn since most web browsers will tell you it's waiting on input from a security key. (As opposed to git and gpg, which provide no indicators.)

Comments
  • Open a modal alert when agent fails to execute scdaemon process

    Problem

    A user reported their GPG setup showing strange errors asking them to "Please insert card with serial number..." and root caused it to scdaemon paths changing after a brew upgrade. This change should make it more clear in future scenarios that GPG Tap Notifier configuration is incorrect.

    Process execution failure information is currently logged to stderr and the macOS unified logging system, but it'd be more helpful to surface this visually.

    Changes

    A modal alert now appears if scdaemon failed to execute. This will now appear alongside the "Please insert card with serial number..." error from GPG itself.

    Screenshot 2022-11-07 at 12 42 44 AM

    Followups

    It'd also be helpful to show status indicators in the GPG Tap Notifier configuration app when one of the selected paths is missing.

    opened by gluxon 0
  • Show NSAlert on NSScreen.main

    Problem

    A user reported that the NSAlert animated from one monitor to another on a dual monitor setup. I was able to reproduce this by having my active window on the non-primary monitor and hitting "Test Notification".

    https://user-images.githubusercontent.com/906558/181792536-e5ce29f4-8247-4cf0-a99e-22ad5efe1ad2.mov

    Changes

    Fixing the problem in 2 ways.

    1. This problem appears unique to NSAlert instances tied to a zero width/height window. Setting the alert window to be 1px x 1px prevents the problem.
    2. To prevent a permanent 1px x 1px window from persisting on the screen, we're no longer caching the window. It's now recreated when the alert appears/disappears.
    opened by gluxon 0
  • Update default notification text to put less emphasis on "reminding"

    A teammate gave feedback that this application isn't "reminding" users as much as it puts a user interface to the act of confirming commit message signatures. I think that's right.

    Updating default language accordingly. New text is:

    A GPG signature has been requested. If you initiated this action, tap your YubiKey's metal contact to confirm.

    Before

    Screen Shot 2022-07-25 at 4 00 43 PM

    Screen Shot 2022-07-25 at 4 01 14 PM

    After

    Screen Shot 2022-07-25 at 4 21 13 PM

    Screen Shot 2022-07-25 at 4 20 52 PM

    opened by gluxon 0
  • Switch default reminder delivery mechanism to Alert from Notification and reduce delay to 0.5s

    This switches the delivery mechanism default from Notification to Alert HUD and reduces the timeout from 1.0s to 0.5s.

    |Before|Now|
    |-|-|
    |Screen Shot 2022-07-06 at 2 58 26 AM|Screen Shot 2022-07-06 at 2 55 09 AM|

    Screen Shot 2022-07-06 at 2 47 02 AM

    I believe this will provide a better out of the box experience for most users. I find that macOS notifications are generally meant for communication (e.g. email, Slack) rather than system utilities. The centered system alert better matches other macOS security prompts (e.g. Touch ID, sudo).

    opened by gluxon 0
  • Limit notification tests to 3 seconds

    Followup to the "Test Notification" message introduced in https://github.com/palantir/gpg-tap-notifier-macos/pull/12. The test reminder now dismisses itself after 3 seconds.

    If the agent needs to request permission to show notifications, that time is not included in the 3 second timeout.

    Demo

    https://user-images.githubusercontent.com/906558/177477813-f6198fb8-ed71-4fc3-8da3-fa06a462dd6c.mov

    opened by gluxon 0
  • fix: Wait for notification authorization before sending first reminder

    Before this change, the agent would request authorization to display notifications and send the initial tap reminder at the same time.

    This results in a minor bug where the initial tap reminder would always fail to display.

    The agent now properly waits for requestAuthorization() before presenting any notifications. If the smart card has not yet been tapped, the reminder will display after the user accepts notifications.

    https://user-images.githubusercontent.com/906558/177049960-f4699f06-8631-439d-ade2-f198ace9833d.mov

    opened by gluxon 0
  • feat: Add button to test notifications in the config UI

    Changes

    Adding a new "Test Notification" button. If users haven't authorized notifications from the agent yet, clicking the test button will ask for permission.

    Screen Shot 2022-07-03 at 12 56 19 PM

    Demo

    https://user-images.githubusercontent.com/906558/177049660-a982a17a-115b-4d01-8b9d-fa09ba29bdac.mov

    opened by gluxon 0
  • fix: Remove existing notifications before presenting another

    The agent's current behavior is to display multiple notifications at once if the present() method is called sequentially without an intermediate dismiss() call.

    In theory this can happen if users GPG sign in different terminal tabs without acting on previous sign requests. In this case, only the latest notification would be cleared, which is a bug.

    This change was prompted by a future commit refactoring present() to be an async method. The checkedContinuation API forced better handling of this scenario since a continuation discarded without resuming logs a warning.

    opened by gluxon 0
  • Redesign delivery mechanism chooser and group settings into tab view

    Redesigning the delivery mechanism chooser into something more similar to macOS's notification preferences selector. To prevent the config UI from becoming too vertically long, the various config settings are now grouped into a TabView.

    Before

    Screen Shot 2022-07-02 at 12 47 19 AM

    After

    Screen Shot 2022-07-02 at 12 45 50 AM
    opened by gluxon 0
  • feat: Provide NSAlert backed alternative to Notification Center messages

    This PR implements a reminder mechanism driven by NSAlert.

    Screen Shot 2022-06-11 at 6 28 29 PM

    Here's a video of the alert being shown and dismissed.

    https://user-images.githubusercontent.com/906558/173206854-94fcfabe-62ca-4ba9-bf46-a852541724a8.mov

    Switching between the 2 delivery mechanisms does not require a restart.

    https://user-images.githubusercontent.com/906558/173206853-269f09f4-f4fd-4c49-8a2e-3c4a8c3b8891.mov

    opened by gluxon 0
  • Add --no-repeat-install flag to enable command

    Adding a new --no-repeat-install flag to the installer.

    ❯ ./GPG\ Tap\ Notifier.app/Contents/Library/GPG\ Tap\ Notifier\ Installer enable --help
    USAGE: main-command enable [--no-repeat-install]
    
    OPTIONS:
      --no-repeat-install     Do not perform any actions if this command has already ran.
                              This avoids re-enabling the app on upgrades if users have
                              opened the GUI and disabled it.
      -h, --help              Show help information.
    

    Testing

    Quick smoke test to make sure this works as expected.

    ❯ ./GPG\ Tap\ Notifier.app/Contents/Library/GPG\ Tap\ Notifier\ Installer enable --no-repeat-install
    
    ❯ cat ~/.gnupg/gpg-agent.conf
    default-cache-ttl 600
    max-cache-ttl 7200
    # --- Start of GPG Tap Notifier Modifications ---
    # The lines in this section were automatically added by GPG Tap Notifier.app.
    # Any manual edits in this section may be reset. This section can be safely
    # deleted if you wish to uninstall the GPG Tap Notifier app.
    scdaemon-program /Users/bcheng/Library/Developer/Xcode/DerivedData/GPG_Tap_Notifier-dlkqpxdmlxgdlhaihnrsropwcyzu/Build/Products/Debug/GPG Tap Notifier.app/Contents/Library/GPG Tap Notifier Agent.app/Contents/MacOS/GPG Tap Notifier Agent
    # --- End of GPG Tap Notifier Modifications ---
    
    ❯ ./GPG\ Tap\ Notifier.app/Contents/Library/GPG\ Tap\ Notifier\ Installer disable
    
    ❯ ./GPG\ Tap\ Notifier.app/Contents/Library/GPG\ Tap\ Notifier\ Installer enable --no-repeat-install
    Exiting with no modifications. This command has already ran successfully in the past.
    
    ❯ cat ~/.gnupg/gpg-agent.conf
    default-cache-ttl 600
    max-cache-ttl 7200
    
    opened by gluxon 0
  • not receiving notifications

    the whole flow is working, but i'm not receiving any notification. i tried both notification and alert-hud modes, and both work with the "test notification" button. but when the yubikey blinks, requesting the touch, i don't receive any notification.

    • notifications enabled
    • "do not disturb" disabled
    • not sharing screen
    • yubikey 5c nfc, firmware v5.4.3
    • gnupg v2.3.8 (via homebrew)
    • pinentry-mac v1.1.1 (via homebrew)
    • macos v13.1 ventura
    • no gpg-suite
    Screenshot 2023-01-03 at 19 56 16
    # ~/.gnupg/gpg-agent.conf
    
    pinentry-program /opt/homebrew/bin/pinentry-mac
    log-file $HOME/.gnupg/gpg-agent.log
    enable-ssh-support
    debug-level basic
    ttyname $GPG_TTY
    # --- Start of GPG Tap Notifier Modifications ---
    # The lines in this section were automatically added by GPG Tap Notifier.app.
    # Any manual edits in this section may be reset. This section can be safely
    # deleted if you wish to uninstall the GPG Tap Notifier app.
    scdaemon-program /Applications/GPG Tap Notifier.app/Contents/Library/GPG Tap Notifier Agent.app/Contents/MacOS/GPG Tap Notifier Agent
    # --- End of GPG Tap Notifier Modifications ---
    
    opened by cruzdanilo 0
  • Excavator:  Update policy-bot config

    excavator is a bot for automating changes across repositories.

    Changes produced by the excavator/policy-bot-oss check.

    To enable or disable this check, please contact the maintainers of Excavator.

    no changelog 
    opened by svc-excavator-bot 0
Releases(v0.3.4)
  • v0.3.4(Nov 7, 2022)

  • v0.3.3(Jul 29, 2022)

    What's Changed

    • Show NSAlert on NSScreen.main. This fixes a bug causing the alert to move from one screen to another in a dual monitor setup. https://github.com/palantir/gpg-tap-notifier-macos/pull/21

    Full Changelog: https://github.com/palantir/gpg-tap-notifier-macos/compare/v0.3.2...v0.3.3

    Build

    Release artifacts generated from GitHub actions: https://github.com/palantir/gpg-tap-notifier-macos/actions/runs/2761643931

    Source code(tar.gz)
    Source code(zip)
    GPG.Tap.Notifier.0.3.3.dmg(1.49 MB)
    GPG_Tap_Notifier.pkg(1.48 MB)
    GPG_Tap_Notifier.zip(1.47 MB)
  • v0.3.2(Jul 25, 2022)

    What's Changed

    • Use sindresorhus/create-dmg to create more mature .dmg https://github.com/palantir/gpg-tap-notifier-macos/pull/19
    • Update default notification text to put less emphasis on "reminding" https://github.com/palantir/gpg-tap-notifier-macos/pull/20

    Full Changelog: https://github.com/palantir/gpg-tap-notifier-macos/compare/v0.3.1...v0.3.2

    Build

    Release artifacts generated from GitHub actions: https://github.com/palantir/gpg-tap-notifier-macos/actions/runs/2735138068

    Source code(tar.gz)
    Source code(zip)
    GPG.Tap.Notifier.0.3.2.dmg(1.49 MB)
    GPG_Tap_Notifier.pkg(1.48 MB)
    GPG_Tap_Notifier.zip(1.47 MB)
  • v0.3.1(Jul 10, 2022)

    What's Changed

    • fix: Show gpg-agent.conf read errors in the UI https://github.com/palantir/gpg-tap-notifier-macos/pull/17
    • Add .zip and .pkg builds to releases https://github.com/palantir/gpg-tap-notifier-macos/pull/18

    Full Changelog: https://github.com/palantir/gpg-tap-notifier-macos/compare/v0.3.0...v0.3.1

    Build

    Release artifacts generated from GitHub actions: https://github.com/palantir/gpg-tap-notifier-macos/actions/runs/2643609429

    Source code(tar.gz)
    Source code(zip)
    GPG_Tap_Notifier.dmg(1.65 MB)
    GPG_Tap_Notifier.pkg(1.48 MB)
    GPG_Tap_Notifier.zip(1.47 MB)
  • v0.3.0(Jul 6, 2022)

    What's Changed

    • The default reminder delivery mechanism is now "Alert HUD". While some users will prefer the previous "Notification" style, we think the new default will serve most users better. The default timeout before a reminder is shown has also been reduced from 1 second to 0.5 seconds to improve responsiveness. https://github.com/palantir/gpg-tap-notifier-macos/pull/16

      |Before|Now|
      |-|-|
      |Screen Shot 2022-07-06 at 2 58 26 AM|Screen Shot 2022-07-06 at 2 55 09 AM|

    • The delivery mechanism chooser has been redesigned, and other settings are now grouped into a tab view https://github.com/palantir/gpg-tap-notifier-macos/pull/9

      Screen Shot 2022-07-06 at 3 03 53 AM
    • feat: Add button to test notifications in the config UI https://github.com/palantir/gpg-tap-notifier-macos/pull/12

    Minor

    • fix: Remove existing notifications before presenting another https://github.com/palantir/gpg-tap-notifier-macos/pull/11
    • fix: Wait for notification authorization before sending first reminder https://github.com/palantir/gpg-tap-notifier-macos/pull/13
    • Only animate gpg-agent.conf spinner while it fades out https://github.com/palantir/gpg-tap-notifier-macos/pull/10

    Full Changelog: https://github.com/palantir/gpg-tap-notifier-macos/compare/v0.2.0...v0.3.0


    Release artifacts generated from GitHub actions.

    Source code(tar.gz)
    Source code(zip)
    GPG_Tap_Notifier.dmg(1.65 MB)
  • v0.2.0(Jun 16, 2022)

    What's Changed

    • fix: Update the "Enabled" Toggle to reflect gpg-agent.conf disk state by @gluxon in https://github.com/palantir/gpg-tap-notifier-macos/pull/5
    • Add --no-repeat-install flag to enable command by @gluxon in https://github.com/palantir/gpg-tap-notifier-macos/pull/6
    • feat: Provide NSAlert backed alternative to Notification Center messages by @gluxon in https://github.com/palantir/gpg-tap-notifier-macos/pull/7
    • Add open configuration button to notification by @gluxon in https://github.com/palantir/gpg-tap-notifier-macos/pull/8

    Full Changelog: https://github.com/palantir/gpg-tap-notifier-macos/compare/v0.1.1...v0.2.0


    Release artifacts generated from GitHub actions.

    Source code(tar.gz)
    Source code(zip)
    GPG_Tap_Notifier.dmg(1.58 MB)
  • v0.1.1(Jun 6, 2022)

    This release fixes a bug observed by users with debug-level set in scdaemon.conf.

    ❯ cat ~/.gnupg/scdaemon.conf
    debug-level advanced
    

    When this value was set, gpg failed on all smartcard related commands.

    ❯ gpg --card-status
    gpg: error getting version from 'scdaemon': No SmartCard daemon
    gpg: OpenPGP card not available: No SmartCard daemon
    

    The increased debug-level setting caused scdaemon to emit logs on stderr, which were improperly proxied to GPG Tap Notifier Agent's stdout due to a typo fixed in this release.


    Release artifacts generated from GitHub actions.

    Source code(tar.gz)
    Source code(zip)
    GPG_Tap_Notifier.dmg(1.54 MB)
  • v0.1.0(Jun 5, 2022)

Owner
Palantir Technologies